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(a) Without a guard. 



(b) With a guard... 



jump important_target

» • • 
• • • 

mem[%r] mem[%r] + 1 




client : 

jump important_target



mem[%r] ← mem[client]
mem[%r] ← mem[%r] - k



pit. IA~ 



EJ915569813US 
P00620US00 (19232.0003) 



Checksum Computations


(checksums stored in V1,...,Vn)




V1,...,Vn






Conditional 


Computations 


using (V1,C1),...,(Vn,Cn)
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// template 1 

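// Additive checksum over the address range START_1..END_1.
// CHECKSUM_1 (accumulator), TEMP_1 (running address), START_1, END_1 and the
// RANDOM_n values are template placeholders filled in per instance.
// NOTE(review): each addl reads a 32-bit word, so a stride of 5 leaves one
// byte in five outside the sum; strides of 3 and 4 cover every byte.

movl $RANDOM_1, CHECKSUM_1 // RANDOM_1 = any integer (initial checksum value)

movl $START_1, TEMP_1 // TEMP_1 := first address to be summed
LABEL_1:

cmpl $END_1, TEMP_1

jg LABEL_2 // leave the loop once TEMP_1 has passed END_1

addl (TEMP_1), CHECKSUM_1 // CHECKSUM_1 += 32-bit word at mem[TEMP_1]

addl $RANDOM_2, TEMP_1 // RANDOM_2 in [3,5]: byte stride between words

jmp LABEL_1
LABEL_2: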

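// template 2
// Same traversal as template 1, but TEMP_1 carries the running address plus
// END_1+RANDOM_1; the memory operands subtract that bias again, so the first
// word read is at START_1 and the loop ends after the word at END_1.
// NOTE(review): the scan prints several suffixes as "J"; two CHECKSUM operands
// below cannot be resolved from this page and are marked individually.

movl $START_1+END_1+RANDOM_1, TEMP_1 // RANDOM_1 = any integer

xorl CHECKSUM_1, CHECKSUM_1 // clear the accumulator; NOTE(review): printed "CHECKSUMJ, CHECKSUMJ", read as _1 because CHECKSUM_2 is overwritten on the next line - confirm

movl TEMP_1, CHECKSUM_2 // CHECKSUM_2 starts from the biased address value
LABEL_1:

addl -END_1-RANDOM_1(TEMP_1), CHECKSUM_1 // effective address = TEMP_1 - END_1 - RANDOM_1

xorl -END_1-RANDOM_2+3(TEMP_1), CHECKSUMJ // NOTE(review): destination suffix illegible in the scan (CHECKSUM_1 or CHECKSUM_2); displacement kept as printed - confirm both

subl $-RANDOM_2, TEMP_1 // RANDOM_2 in [3,5]; subtracting the negative advances TEMP_1

cmpl $END_1+END_1+RANDOM_1, TEMP_1 // biased form of "address <= END_1"

jle LABEL_1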



FIG. 3 



) 
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(x+3)(y + 7) g) 

(x + 3 + 0)(y + 7 + 0) (2) 

$(x + 3 + u - u_0)(y + 7 + w_0 - w)$ iff $u = u_0$ and $w = w_0$ (3)

$(x + u + k_1)(y - w + k_2)$ where $k_1 = 3 - u_0$ and $k_2 = 7 + w_0$ (4)



FIG.4 
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FIG. 5 



exit 
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1 main: 

2 

3 

4 

5 

6 

7 

8 

9 
10 
11 
12 
13 
14 

15 nextl: 

16 

17 

18 

19 

20 

21 

22 

23 

24 next2 

25 

26 

27 

28 

29 

30 

31 

32 prfact: 

33 

34 

35 

36 

37 

38 

39 

40 .L94 

41 

42 

43 

44 

45 .L96 

46 

47 

48 

49 

50 

51 

52 .L98 

53 

54 

55 

56 



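// main, figure lines 1-30, with call/ret/push/pop/leave already expanded into
// leal/movl/jmp sequences. Labels restored from the figure's label column.
main:
leal -4(%esp), %esp // %esp := %esp - 4
movl %ebp, (%esp) // mem[%esp] := %ebp   (the two lines act as pushl %ebp)
movl %esp, %ebp
subl $8, %esp // %esp := %esp - 8
leal -8(%ebp), %eax // %eax := %ebp - 8
leal -4(%esp), %esp
movl %eax, (%esp) // push that address for scanf
leal -4(%esp), %esp
movl $str1, (%esp) // push $str1
leal -4(%esp), %esp
movl $next1, (%esp) // mem[%esp] := $next1, the return address
jmp scanf // jump to location scanf (expanded call)

next1:
addl $8, %esp // %esp := %esp + 8, dropping the two scanf arguments
leal -4(%esp), %esp
movl -8(%ebp), %eax // %eax := mem[%ebp-8]
movl %eax, (%esp) // push it as the argument of pr_fact
leal -4(%esp), %esp
movl $next2, (%esp) // return address for pr_fact
jmp pr_fact

next2:
addl $4, %esp // drop the pr_fact argument
movl %ebp, %esp
movl (%esp), %ebp
leal 4(%esp), %esp // the three lines above act as leave
leal 4(%esp), %esp // step over the return address ...
jmp *-4(%esp) // ... and jump to it (expanded ret)
// NOTE(review): the return address is read from below %esp; anything that
// writes the stack asynchronously between these two instructions (a signal
// handler, for instance) could overwrite it before the jump.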



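// pr_fact, figure lines 32-56 (the listing continues at figure line 57).
// Labels restored from the figure's label column. The argument is at
// 8(%ebp); the running product is the local at -4(%ebp).
pr_fact:
leal -4(%esp), %esp
movl %ebp, (%esp) // expanded pushl %ebp
movl %esp, %ebp
subl $4, %esp // room for one 4-byte local
movl $1, -4(%ebp) // product := 1
jmp .L94

.L94:
cmpl $1, 8(%ebp) // mem[%ebp+8] - 1 = ??
jg .L96 // if ?? > 0, jmp .L96
jmp .L98

.L96:
movl -4(%ebp), %eax
imul 8(%ebp), %eax // %eax := %eax * mem[%ebp+8]
movl %eax, -4(%ebp)
subl $1, 8(%ebp) // argument := argument - 1
jmp .L94

.L98:
leal -4(%esp), %esp
movl -4(%ebp), %eax
movl %eax, (%esp) // push the product
leal -4(%esp), %esp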
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57 movl $str2, (%esp) 

58 leal -4(%esp), %esp 

59 movl $next3, (%esp) // push the return address for printf

60 jmp printf // expanded call
61 


62 next3: 

63 addl $8, %esp // drop 8 bytes of printf arguments

64 movl %ebp, %esp 

65 movl (%esp),%ebp 

66 leal 4(%esp),%esp // lines 64-66 act as leave

67 leal 4(%esp), %esp 

68 jmp *-4(%esp) //jump to addr in mem[%esp-4]
69 



FHr. CI 
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1 main: 

2 

3 

4 

5 

6 

7 

8 

9 
10 
11 
12 
13 
14 

15 nextl: 

16 

17 

18 

19 

20 

21 

22 

23 endl: 
24 

25 next2: 

26 

27 

28 

29 

30 

31 

32 

33 prfact: 
34 

35 
36 
37 
38 
39 
40 
41 
42 

43 guardl 1: 

44 

45 

46 

47 

48 

49 

50 

51 guardl_2: 

52 

53 

54 

55 

56 



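// main of the guarded program, figure lines 1-31, with call/ret/push/pop
// already expanded. Labels restored from the figure's label column. The
// instructions from next1 to end1 are the "client": the address range the
// guard in prfact sums.
main:
leal -4(%esp), %esp
movl %ebp, (%esp) // expanded pushl %ebp
movl %esp, %ebp
subl $8, %esp
leal -8(%ebp), %eax
leal -4(%esp), %esp
movl %eax, (%esp) // push %ebp-8 for scanf
leal -4(%esp), %esp
movl $str1, (%esp)
leal -4(%esp), %esp
movl $next1, (%esp) // return address for scanf
jmp scanf

next1: // start of client
addl $8, %esp
leal -4(%esp), %esp
movl -8(%ebp), %eax
movl %eax, (%esp) // push mem[%ebp-8] as the argument of prfact
leal -4(%esp), %esp
movl $next2, (%esp) // return address for prfact
jmp prfact
end1: // end of client

next2:
addl $4, %esp
movl %ebp, %esp
movl (%esp), %ebp
leal 4(%esp), %esp
leal 4(%esp), %esp
jmp *-4(%esp) // expanded ret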



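// prfact with guard 1 installed, up to figure line 56. Labels restored from
// the figure's label column. The guard sums the client code into g1 and then
// folds g1 into the function's own data instead of comparing and branching:
// figure line 57 stores g1-G1+1 as the initial product, so a changed client
// shows up as a wrong result rather than as an explicit failure path.
prfact:
leal -4(%esp), %esp
movl %ebp, (%esp) // expanded pushl %ebp
movl %esp, %ebp
subl $4, %esp

// guard installation site
movl $100, g1 // g1 := 100, the initial checksum value
movl $next1, %eax // %eax := address of the first client instruction
guard1_1:
cmpl $end1, %eax
jg guard1_2 // done once %eax has passed end1
// NOTE(review): jg compares as signed; for code addresses at or above
// 0x80000000 the unsigned test (ja) is the one that matches the intent.
movl g1, %ecx
addl (%eax), %ecx // add the 32-bit word at mem[%eax]
movl %ecx, g1 // g1 := g1 + mem[%eax]
addl $3, %eax // advance 3 bytes; consecutive 4-byte words overlap by one byte
jmp guard1_1
// NOTE(review): the last word is read at an address <= end1, so the sum can
// include up to 3 bytes beyond end1; G1 has to be computed over the same bytes.

guard1_2:
// end of checksumming: (g1, G1)
movl $-G1+1, %eax // G1 is the checksum constant
addl g1, %eax // %eax := g1 - G1 + 1, which is 1 only when g1 equals G1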
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57 movl %eax, -4(%ebp) 

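58 jmp .L94
59
60 .L94:
61 leal 8+G1(%ebp), %eax // %eax := %ebp + 8 + G1
62 subl g1, %eax // %eax := %ebp + 8 + G1 - g1; this is %ebp+8 only when g1 equals G1
63 movl (%eax), %eax // load the loop operand through the checksum-dependent address
64 cmpl $1, %eax
65 jg .L96
66 jmp .L98
67
68 .L96:
69 movl -4(%ebp), %eax
70 imul 8(%ebp), %eax // product := product * mem[%ebp+8]
71 movl %eax, -4(%ebp)
72 subl $1, 8(%ebp)
73 jmp .L94
74
75 .L98:
76 leal -4(%esp), %esp
77 movl -4(%ebp), %eax
78 movl %eax, (%esp) // push the product
79 leal -4(%esp), %esp
80 movl $str2, (%esp)
81 leal -4(%esp), %esp
82 movl $next3, (%esp) // return address for printf
83 jmp printf
84
85 next3:
86 addl $8, %esp
87 movl %ebp, %esp
88 movl (%esp), %ebp
89 leal 4(%esp), %esp
90 leal 4(%esp), %esp
91 jmp *-4(%esp) // expanded ret
92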
92 
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FIG. 9 0- 
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(b) The corresponding guard graph 
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FIG. 9H 
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FIG. 91 
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CFG-merging 

ZTZ 

CFG-cloning 



Data-aliasing 




EJ915569813US 
P00620US00 (19232.0003) 



addr(x)=B




FIG. 11 
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puahl %cbp 
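movl %esp,%ebp
subl $12,%esp
movl $f_body,%eax // NOTE(review): operand reconstructed from a badly garbled scan; it matches the first entry the figure lists for g2 - confirm
jmp *%eax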



g1 = <12, 20>
g2 = <$f_body, $g_body>



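pushl %ebp
movl %esp, %ebp
subl $20,%esp
movl $g_body, %eax // NOTE(review): operands missing in the scan; $g_body assumed from the second entry the figure lists for g2 - confirm
jmp *%eax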



IfLJaody 

6 



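// Merged prologue: the frame size and the continuation address are no longer
// immediates but are read from the variables g1 and g2.
pushl %ebp
movl %esp,%ebp
subl g1,%esp // frame size taken from g1
movl g2,%eax // continuation address taken from g2
jmp *%eax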

*J>ody /\ gJ>ody 

O 0 
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1 main: 

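// Figure lines 2-56. main and pr_fact share one prologue (main_1/pr_fact);
// g2 supplies the frame size and g3 the address to continue at.
// The <...> annotations appear to list the value a variable holds at that
// point, one entry per path that reaches it (main path first).
2 movl $38, g2 // g2=38 <38>
3 movl $main_2+30, %eax
4 subl g2, %eax
5 movl %eax, g3 // g3=main_2+30-g2 <main_2-8>
6 jmp main_1
7 // g2=<38>, g3=<main_2-8>
8 main_1:
9 pr_fact:
10 leal -4(%esp), %esp
11 subl $30, g2 // g2=g2-30 <8,4>
12 movl %ebp, (%esp) // lines 10 and 12 act as pushl %ebp
13 movl g2, %ebp // %ebp is only a scratch register here; line 15 sets the frame pointer
14 addl %ebp, g3 // g3=g3+g2 <main_2,pr_fact_1>
15 movl %esp, %ebp
16 subl g2, %esp // frame size read from g2: 8 on the main path, 4 on the pr_fact path
17 movl g3, %eax
18 jmp *%eax // continue at whichever of main_2 / pr_fact_1 g3 holds
19 // g1=<,?> g2=<8,4>, g3=<main_2,pr_fact_1>
20 main_2:
21 addl $26, g2 // g2=g2+26 <34>
22 leal -8(%ebp), %eax
23 leal -4(%esp), %esp
24 movl %eax, (%esp)
25 leal -4(%esp), %esp
26 movl $str1, (%esp)
27 leal -4(%esp), %esp
28 movl $next1, (%esp)
29 jmp scanf
30 // g2=<34>
31 next1: // client start
32 addl $8, %esp
33 leal -4(%esp), %esp
34 movl $pr_fact_1-38, %eax
35 addl g2, %eax
36 movl %eax, g3 // g3=g2+pr_fact_1-38 <pr_fact_1-4>
37 movl -8(%ebp), %eax
38 movl %eax, (%esp)
39 leal -4(%esp), %esp
40 movl $next2, (%esp)
41 jmp pr_fact
42 // g2=<34>, g3=<pr_fact_1-4>
43 end1: // client end
44 next2:
45 addl $4, %esp
46 movl %ebp, %esp
47 movl (%esp), %ebp
48 leal 4(%esp), %esp
49 leal 4(%esp), %esp
50 jmp *-4(%esp)
51 pr_fact_1: // guard installation site
52 movl $100, g1
53 movl $next1, %eax
54 jmp guard1_1
55 // g1=<?>
56 guard1_1: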
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57 




cmpl 


$endl, %eax 


58 




jg 


guard 12 


59 




jmp 


guard 1_3 


60 




//gl=<?> 




61 


guardl_3: 






62 




movl 


gl, %ecx 


63 




addl 


(%eax), %ecx 


64 




movl 


%ecx, gl 


65 




addl 


$3, %eax 


66 






guardll 


67 




//gl=<?> 




68 


guardl_2: 






69 




// end of checksumming: (gl, Gl) 


70 




movl 


S-Gl+l, %eax 


71 




addl 


gl, %eax 


72 




movl 


%eax, -4(%ebp) 


73 




jmp 


.L94 


74 




//gl=<Gl> 




75 


.L94: 






76 




leal 


8+Gl(%ebp), %eax 


77 




subl 


gl, %eax 


78 




movl 


(%eax), %eax 


79 




cmpl 


$l,%eax 


80 




jg 


.L96 


81 




jmp 


X98 


82 




//gl=<Gl> 




83 


X96: 






84 




movl 


-4(%ebp), %eax 


85 




imul 


8(%ebp), %eax 


86 




movl 


%eax, -4(%ebp) 


87 




subl 


$l,8(%ebp) 


88 




jmp 


.L94 


89 


.L98: 






90 




leal 


-4(%esp), %esp 


91 




movl 


-4(%ebp), %eax 


92 




movl 


%eax, (%esp) 


93 




leal 


-4(%esp), %esp 


94 




movl 


$str2, (%esp) v 


95 




leal 


-4(%esp), %esp 


96 




movl 


$next3, (%esp) 


97 




jmp 


printf 


98 


next3: 






99 




addl 


$8, %esp 


100 




movl 


%ebp, %esp 


101 




movl 


(%esp), %ebp 


102 




leal 


4(%esp), %esp 


103 




leal ' 


4(%esp), %esp 


104 




jmp 


*-4(%esp) 



105 



//gl^<Gl> 



flG-. HZ 
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1 main: 

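// Figure lines 2-56. As well as the shared prologue (g2 = frame size,
// g3 = continuation), this version keeps the callee address in g4 and a
// biased return address in g1; the stub at lines 48-56 performs every call.
2 movl $38, g2 // g2=38 <38>
3 movl $scanf-1000, g5 // g5=scanf-1000 <scanf-1000>
4 movl $main_2+30, %eax
5 subl g2, %eax
6 movl %eax, g3 // g3=main_2+30-g2 <main_2-8>
7 jmp main_1
8 // g2=<38>, g3=<main_2-8>, g5=<scanf-1000>
9 main_1:
10 pr_fact:
11 leal -4(%esp), %esp
12 subl $30, g2 // g2=g2-30 <8,4>
13 movl %ebp, (%esp)
14 movl g2, %ebp
15 addl %ebp, g3 // g3=g3+g2 <main_2,pr_fact_1>
16 movl %esp, %ebp
17 subl g2, %esp
18 movl $1000, %eax
19 addl g5, %eax
20 movl %eax, g4 // g4=g5+1000 <scanf>
21 movl g3, %eax
22 jmp *%eax
23 // g1=<,?> g2=<8,4>, g3=<main_2,pr_fact_1>, g4=<scanf,>
24 main_2:
25 addl $26, g2 // g2=g2+26 <34>
26 movl $next1-794320, %eax
27 addl g2, %eax
28 movl %eax, g1 // g1=g2+next1-794320 <next1-794286>
29 leal -8(%ebp), %eax
30 leal -4(%esp), %esp
31 movl %eax, (%esp)
32 leal -4(%esp), %esp
33 movl $str1, (%esp)
34 jmp main_2_1
35 // g1=<next1-794286>, g2=<34>, g4=<scanf>
36 next1: // client start
37 addl $8, %esp
38 leal -4(%esp), %esp
39 movl $pr_fact_1-38, %eax
40 addl g2, %eax
41 movl %eax, g3 // g3=g2+pr_fact_1-38 <pr_fact_1-4>
42 addl $next2-794286-next1, g1 // g1=g1+next2-794286-next1 <next2-794286>
43 movl $pr_fact, g4 // g4=pr_fact <pr_fact>
44 movl -8(%ebp), %eax
45 movl %eax, (%esp)
46 jmp next1_1
47 // g1=<next2-794286>, g2=<34>, g3=<pr_fact_1-4>, g4=<pr_fact>
48 next1_1:
49 main_2_1:
50 .L98_1:
51 leal -4(%esp), %esp
52 addl $794286, g1 // g1=g1+794286 <next1>
53 movl g1, %eax
54 movl %eax, (%esp) // push g1 as the return address
55 movl g4, %eax
56 jmp *%eax // call target comes from g4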
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57 // gl=<next2,nextl,next3>, g2=<34,34 >, g3=<prJact_l-4„>, 

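58 // g4=<pr_fact,scanf,printf>, g5=<?>
59 end1: // client end
60 next2:
61 addl $4, %esp
62 movl %ebp, %esp
63 movl (%esp), %ebp
64 leal 4(%esp), %esp
65 leal 4(%esp), %esp
66 jmp *-4(%esp)
67 pr_fact_1: // guard installation site
68 movl $100, g1 // <?>
69 movl $next1, %eax
70 jmp guard1_1
71 // g1=<?>
72 guard1_1:
73 cmpl $end1, %eax
74 jg guard1_2 // done once %eax has passed end1
75 jmp guard1_3
76 // g1=<?>
77 guard1_3:
78 movl g1, %ecx
79 addl (%eax), %ecx // add the 32-bit word at mem[%eax]
80 movl %ecx, g1
81 addl $3, %eax
82 jmp guard1_1
83 // g1=<?>
84 guard1_2:
85 // end of checksumming: (g1, G1)
86 movl $printf-G1, %eax
87 addl g1, %eax
88 movl %eax, g4 // g4=g1+printf-G1: the later call reaches printf only when g1 equals G1
89 movl $-G1+1, %eax
90 addl g1, %eax // %eax := g1 - G1 + 1, which is 1 only when g1 equals G1
91 movl %eax, -4(%ebp) // stored as the initial product
92 jmp .L94
93 // g1=<G1>, g4=<printf>
94 .L94:
95 leal 8+G1(%ebp), %eax
96 subl g1, %eax // %eax := %ebp + 8 + G1 - g1; this is %ebp+8 only when g1 equals G1
97 movl (%eax), %eax
98 cmpl $1, %eax
99 jg .L96
100 jmp .L98
101 // g1=<G1>, g4=<printf>
102 .L96:
103 movl -4(%ebp), %eax
104 imul 8(%ebp), %eax
105 movl %eax, -4(%ebp)
106 subl $1, 8(%ebp)
107 jmp .L94
108 // g4=<printf>
109 .L98:
110 addl $-G1+next3-794286, g1 // g1=g1-G1+next3-794286 <next3-794286>: the return address also depends on the checksum
111 leal -4(%esp), %esp
112 movl -4(%ebp), %eax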
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113 movl %eax, (%esp) 

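114 leal -4(%esp), %esp
115 movl $str2, (%esp)
116 jmp .L98_1 // shared call stub: pushes g1+794286 and jumps to the address in g4
117 // g1=<next3-794286>, g4=<printf>
118 next3:
119 addl $8, %esp
120 movl %ebp, %esp
121 movl (%esp), %ebp
122 leal 4(%esp), %esp
123 leal 4(%esp), %esp
124 jmp *-4(%esp) // expanded ret
125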
125 
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FIG. 15 
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Procedure precompute (variable v, link-nodes {x_l ,...,x_n}, 

constants {c_1,...,c_n})

Set live(v,x_i) = TRUE and value(v,x_i) = c_i for all i = 1,...,n;

While (there is a link-node x and a variable v such that 
value(v,x) is defined but done(v,x)=FALSE) 

Let X = {x_1,...,x_n} be the entire set of link-nodes in the

same basic block, say B, that contains x; 
Let t be the point within B for inserting evolve( ); 

If (no evolve( ) has previously been chosen for B) 

Choose a mathematical function evolve(U), where U is a (possibly 
empty) set of (new) global variables, with the following properties: 

(1) No u in U is reserved (i.e. no u in U that, for some z in pred- 
links(X), live(u,z)=TRUE but value(u,z) is undefined); 

(2) For any x_i in X where value(v,x_i) is defined, the common
evolve(U) is able to fulfill value(v,x_i) by setting value(u,z)
appropriately, for any u in U and z in pred-links(x_i) with
unseen(u,z,t)=TRUE;

(3) For all x_i in X where value(v,x_i) is undefined, the same
evolve(U) is possible to fulfill any desired value for any future
definition of value(u,x_i);

Endif 

If (evolve( ) is newly chosen and is not the trivial identity function) 
Insert code at t of B for computing v=evolve(U); 

Endif 

For (all u in U and z in pred-links(x) where unseen(u,z,t)==TRUE) 

Set live(u,z) = TRUE and value(u,z) equal to some values such that these 
new values, together with other values of U already set along the paths to t 
through z, satisfy value(v,x)=evolve(U); 

End for 

For (each x_i in X where value(v,x_i) is undefined, and each u in U and z in
pred-links(x_i) where unseen(u,z,t)=TRUE)

Set live(u,z) = TRUE;
End for 

Set done(v,x) = TRUE; 

End while

End procedure 
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Procedure unseen(variable v, link-node z, program point t) 

If (value(v,z) is undefined, and at the basic block that contains t, v is not defined in the 
code before t) 

return TRUE; 

Else 

return FALSE; 
End procedure 



FIG. 19i} 
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«ddr(x)=B 
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// (a) before change 

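jmp .L24

// (b) after change

cmpl %eax, (%esp) // args are randomly selected, so the flags carry no program meaning

jl .L013 //clone
// NOTE(review): the scan prints the target as "X013"; read as .L013 by
// analogy with the other labels on this page - confirm. Presumably the clone
// behaves like the code at .L24, so either branch outcome is acceptable.

jmp .L24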

FIG. 22 
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tag 


shf 


E(len+shf) 


E(msg + shJ) j 



FTG.24 
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Preprocess the input code 


y 


i 


Install self-protecting mechanisms to the code


} 


f 


Embed watermarks and produce a program file


i 




Assemble the file and link it with other resources (if any) 


i 


f 


Patch the file with data values 

i 


} 


f 


Remove symbol tables from the file 



1 

Attach additional information to the file 
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High-level instructions 




CI* I • j j • 

Simpler instructions 


call operand 
* 

next: . . . 




pushl $next
jmp operand 
next: . . . 


ret 




leal 4(%esp),%esp 
jmp * -4(%esp) 


enter 




pushl %ebp 

movl %esp, %ebp


leave 




movl %ebp, %esp 
popl %ebp 


pushl operand 




leal -4(%esp), %esp 
movl operand, (%esp) 


popl operand 




movl (%esp), operand 
leal 4(%esp), %esp 



FIG. 27 
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Software 


Encrypted customization parameters 


Digital signature 


Program Code 
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Wrong password 




After "bypassing" password 


password: abc 
Invalid password! 




password: abc 

n 7 100000 

next prime =100001 


Right password 




After further "corrections" 


password: opensesame 
n 7100000 

next prime = 100003 




password: abc 
n 7 100000 

Segmentation Fault (core dumped) 
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